What is the correct way of find out if user is logged in in MVC WEB API? - asp.net-mvc

I am very confused about this problem. Restfull service make it up to you to decide which way to implement this functionallity.
Ive read multiple articles about this problem, but every article says something different.
For example some people propopse sessions, but if you do that Web api is losing its "rest fullness". Other people suggest cockies.
I dont know if what i am done is actually done right:
On login of user i create a cockie which contains UserID(Guid) and on every request which needs user to be logged in i check if this id exsists in the DB.
Is it secure enough? Or how should i make it more secure? Or do i have to choose completly different way?

Just create authentication token on server-side and store it in your database or even in cache. Then send this token with requests from your client application. WebApi should check this token all the time. It's good enough and you have full control over your auth process.
Let me share, how it works for me:
Object with Auth details:
public class TokenIdentity
public int UserID { get; set; }
public string AuthToken { get; set; }
public ISocialUser SocialUser { get; set; }
Web API Auth Controller:
public class AuthController : ApiController
public TokenIdentity Post(
SocialNetwork socialNetwork,
string socialUserID,
[FromUri]string socialAuthToken,
[FromUri]string deviceRegistrationID = null,
[FromUri]DeviceType? deviceType = null)
var socialManager = new SocialManager();
var user = socialManager.GetSocialUser(socialNetwork, socialUserID, socialAuthToken);
var tokenIdentity = new AuthCacheManager()
return tokenIdentity;
Auth Cache Manager:
public class AuthCacheManager : AuthManager
public override TokenIdentity CurrentUser
var authToken = HttpContext.Current.Request.Headers["AuthToken"];
if (authToken == null) return null;
if (HttpRuntime.Cache[authToken] != null)
return (TokenIdentity) HttpRuntime.Cache.Get(authToken);
return base.CurrentUser;
public int? CurrentUserID
if (CurrentUser != null)
return CurrentUser.UserID;
return null;
public override TokenIdentity Authenticate(
ISocialUser socialUser,
DeviceType? deviceType = null,
string deviceRegistrationID = null)
if (socialUser == null) throw new ArgumentNullException("socialUser");
var identity = base.Authenticate(socialUser, deviceType, deviceRegistrationID);
return identity;
Auth Manager:
public abstract class AuthManager
public virtual TokenIdentity CurrentUser
var authToken = HttpContext.Current.Request.Headers["AuthToken"];
if (authToken == null) return null;
using (var usersRepo = new UsersRepository())
var user = usersRepo.GetUserByToken(authToken);
if (user == null) return null;
return new TokenIdentity
AuthToken = user.AuthToken,
SocialUser = user,
UserID = user.ID
public virtual TokenIdentity Authenticate(
ISocialUser socialUser,
DeviceType? deviceType = null,
string deviceRegistrationID = null)
using (var usersRepo = new UsersRepository())
var user = usersRepo.GetUserBySocialID(socialUser.SocialUserID, socialUser.SocialNetwork);
user = (user ?? new User()).CopyFrom(socialUser);
user.AuthToken = System.Guid.NewGuid().ToString();
if (user.ID == default(int))
return new TokenIdentity
AuthToken = user.AuthToken,
SocialUser = user,
UserID = user.ID
Global Action Filter:
public class TokenAuthenticationAttribute : System.Web.Http.Filters.ActionFilterAttribute
public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
if (actionContext.Request.RequestUri.AbsolutePath.Contains("api/auth"))
var authManager = new AuthCacheManager();
var user = authManager.CurrentUser;
if (user == null)
throw new HttpResponseException(HttpStatusCode.Unauthorized);
//Updates the authentication
Global.asax registration:
GlobalConfiguration.Configuration.Filters.Add(new AuthFilterAttribute());
The idea is that AuthCacheManager extends AuthManager and decorates it's methods and properties. If there is nothing inside cache then go check database.
It's an example from real app, but I hope the idea is clear :)


Getting Error 400: invalid_request while redirecting Authorization page

Following this guide (https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#web-applications-asp.net-mvc) I made the code work in localhost but it gives an Error 400: invalid_request device_id and device_name are required for private IP: http://xx.xx.xx.xx:xxxxx/AuthCallback/IndexAsync while redirecting to Authorization page. We added subdomain in dns for our windows server ip address and registered the same subdomain in google api console. Why google gets ip address of the server instead of subdomain? Is the problem related to dns?
These are the working codes on local machine:
public class HomeController : Controller
public async Task<ActionResult> Index(CancellationToken cancellationToken)
var result = await new AuthorizationCodeMvcApp(this, new AppFlowMetadata()).
if (result.Credential != null)
var service = new GmailService(new BaseClientService.Initializer
HttpClientInitializer = result.Credential,
ApplicationName = "BPM Mail"
var gmailProfile = service.Users.GetProfile("me").Execute();
var userGmailEmail = gmailProfile.EmailAddress;
Utils.userMail = userGmailEmail;
Utils.cred = result.Credential;
//var list = await service.Files.List().ExecuteAsync();
//ViewBag.Message = "FILE COUNT IS: " + list.Items.Count();
return new RedirectResult("~/Apps/Mail/Default.aspx");
return new RedirectResult(result.RedirectUri);
public class AppFlowMetadata : FlowMetadata
private static readonly IAuthorizationCodeFlow flow =
new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
ClientSecrets = new ClientSecrets
ClientId = "ClientId ",
ClientSecret = "ClientSecret "
Scopes = new[] { GmailService.Scope.GmailReadonly, GmailService.Scope.MailGoogleCom, GmailService.Scope.GmailModify },
DataStore = new FileDataStore("D:/bpm_mail/mytokens/token.json", true)
public override string GetUserId(Controller controller)
// In this sample we use the session to store the user identifiers.
// That's not the best practice, because you should have a logic to identify
// a user. You might want to use "OpenID Connect".
// You can read more about the protocol in the following link:
// https://developers.google.com/accounts/docs/OAuth2Login.
var user = controller.Session["user"];
//Utils.userId = user.ToString();
if (user == null)
user = Guid.NewGuid();
controller.Session["user"] = user;
return user.ToString();
public override IAuthorizationCodeFlow Flow
get { return flow; }
//public override string AuthCallback
// get { return #"/AuthCallback/IndexAsync"; }
public class AuthCallbackController : Google.Apis.Auth.OAuth2.Mvc.Controllers.AuthCallbackController
protected override Google.Apis.Auth.OAuth2.Mvc.FlowMetadata FlowData
get { return new AppFlowMetadata(); }
Issue solved by changing private ip to public one and redirect it to domain.

How to create a unique session for a user: ASP.NET

I have been learning ASP.NET and came to point where I realised that my web application is creating only a static session for all the users, that is if one logs out all the users are logged out, and sometimes the session is even swapped (lets say userA logs in and right after userB logs in, when the userA refreshes he is seeing the data of userB).
My SessionManager class is as below
public class SessionManager
#region Private Data
private static String USER_KEY = "user";
public static Employee CurrentUser
public static string UserType
public static Int32 SessionTimeout
return System.Web.HttpContext.Current.Session.Timeout;
public static String GetUserFullName()
if (SessionManager.CurrentUser != null)
return SessionManager.CurrentUser.FirstName;
return null;
public static Boolean IsUserLoggedIn
if (SessionManager.CurrentUser != null)
return true;
return false;
#region Methods
public static void AbandonSession()
for (int i = 0; i < System.Web.HttpContext.Current.Session.Count; i++)
System.Web.HttpContext.Current.Session[i] = null;
Login Controller:
public ActionResult Index(String txtUserName, String txtPassword)
if (User.Identity.IsAuthenticated)
return View();
if (ModelState.IsValid)
Employee obj = (from o in db.Employees
where o.Email == txtUserName && o.Password == txtPassword
select o).FirstOrDefault();
if (obj != null)
var dh = db.Departments.Where(x => x.LeadBy == obj.EmployeeId).FirstOrDefault();
var tl = db.Teams.Where(x => x.LeadBy == obj.EmployeeId).FirstOrDefault();
if (dh == null && tl == null)
Session["UserType"] = "EMP";
else if (dh != null && tl != null)
Session["UserType"] = "DH&TL";
else if (dh != null)
Session["UserType"] = "DH";
else if (tl != null)
Session["UserType"] = "TL";
SessionManager.CurrentUser = obj; //how can I create different obj for different users here?
var currentEnrollID = SessionManager.CurrentUser.EnrollNumber;
var currentEmployeeID = SessionManager.CurrentUser.EmployeeId;
var currentEmpName = SessionManager.CurrentUser.FirstName + " " + SessionManager.CurrentUser.LastName;
I have been using sessions like this in the whole application so a different approach would be hectic to amend the changes.
public ActionResult Logout()
if (SessionManager.IsUserLoggedIn)
SessionManager.CurrentUser.EmployeeId = 0;
return RedirectToAction("Index","Login");
This is not related to ASP.NET, but it is more on how static members work.
The real issue is your SessionsManager, which contains static methods that you store values every time the user logs-in. This means the same instance is shared across different session in the application.
I have an update SessionManager you can see below. I have stored the SessionManager object in the session object so that as long the session is alive. It will return the same instance by session when you call it using SessionManager.Current.
public class SessionManager {
#region Private Data
private static String USER_KEY = "user";
public static SessionManager Current {
if (HttpContext.Current.Session[USER_KEY] != null) {
return (SessionManager) HttpContext.Current.Session[USER_KEY];
} else {
var sess = new SessionManager ();
HttpContext.Current.Session[USER_KEY] = sess;
return sess;
public Employee CurrentUser {
public string UserType {
public Int32 SessionTimeout {
get {
return System.Web.HttpContext.Current.Session.Timeout;
public String GetUserFullName () {
if (SessionManager.Current.CurrentUser != null)
return SessionManager.Current.CurrentUser.FirstName;
return null;
public Boolean IsUserLoggedIn {
get {
if (SessionManager.Current.CurrentUser != null)
return true;
return false;
#region Methods
public void AbandonSession () {
for (int i = 0; i < System.Web.HttpContext.Current.Session.Count; i++) {
System.Web.HttpContext.Current.Session[i] = null;
System.Web.HttpContext.Current.Session.Abandon ();

Confusion on getting access token from google api with mvc

I've been trying to follow a number of tutorials I can find to have an mvc application allow a user to authenticate the app and get the access and refresh tokens back. Unfortunately I can't find any that are clear enough to where I can follow what's going on. I started with google's sample code and then found some others like this one and this one.
When I run my app I'm trying to go to http://localhost:61581/Integration/Google/IndexAsync it hits that method which eventually hits the AppFlowMetadata.GetUserId method and then hits my custom TenixDataStore class' GetAsync method.
The things that are confusing are
First off, am I going to the right url/method? I think I am based on google's code example but not sure.
I thought that the key I would get would be the email address but instead is a GUID. Is that how google identifies a user?
If I'm going to the right url, why does the page just hang and never return. I expected it to open a google authorization page which didn't happen.
Here's my code.
AppFlowMetadata class
using System.Web.Mvc;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Flows;
using Google.Apis.Auth.OAuth2.Mvc;
using Google.Apis.Gmail.v1;
using Tenix.Domain.Constants;
namespace MyApp.Areas.Integration.Controllers
public class AppFlowMetadata : FlowMetadata
private static readonly IAuthorizationCodeFlow flow =
new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
ClientSecrets = new ClientSecrets
ClientId = APIConstants.GMailApiKey,
ClientSecret = APIConstants.GmailApiSecret
Scopes = new[] {GmailService.Scope.GmailReadonly},
DataStore = new TenixDataStore()
public override IAuthorizationCodeFlow Flow
get { return flow; }
public override string GetUserId(Controller controller)
// In this sample we use the session to store the user identifiers.
// That's not the best practice, because you should have a logic to identify
// a user. You might want to use "OpenID Connect".
// You can read more about the protocol in the following link:
// https://developers.google.com/accounts/docs/OAuth2Login.
var user = controller.Session["UserID"];
if (user == null) return null;
return user.ToString();
using System.Threading;
using System.Threading.Tasks;
using System.Web.Mvc;
using Google.Apis.Auth.OAuth2.Mvc;
using Google.Apis.Gmail.v1;
using Google.Apis.Services;
namespace MyApp.Areas.Integration.Controllers
public class GoogleController : Controller
public async Task IndexAsync(CancellationToken cancellationToken)
if (Session["UserID"] == null)
Response.Redirect("~/Login.aspx", true);
var result = await new AuthorizationCodeMvcApp(this, new AppFlowMetadata()).AuthorizeAsync(cancellationToken);
if (result.Credential != null)
var service = new GmailService(new BaseClientService.Initializer
HttpClientInitializer = result.Credential,
ApplicationName = "Tenix Gmail Integration"
TenixDataStore class
using System;
using System.Threading.Tasks;
using DataBaseUtilitiesTEN;
using Google.Apis.Json;
using Google.Apis.Util.Store;
using Newtonsoft.Json.Linq;
using Synergy.Extensions;
using Tenix.Domain.Data.Respositories;
using Tenix.Domain.Model.Integration;
using Tenix.Domain.Services;
namespace MyApp.Areas.Integration.Controllers
public class TenixDataStore : IDataStore
private readonly string conStr = ConnectionStrings.GeneralInfo;
private CredentialService _service;
public TenixDataStore()
_service = new CredentialService(new CredentialRepository(conStr));
public Task StoreAsync<T>(string key, T value)
if (string.IsNullOrEmpty(key))
throw new ArgumentException("Key MUST have a value");
var serialized = NewtonsoftJsonSerializer.Instance.Serialize(value);
var jObject = JObject.Parse(serialized);
var access_token = jObject.SelectToken("access_token");
var refresh_token = jObject.SelectToken("refresh_token");
if (access_token == null)
throw new ArgumentException("Missing access token");
if (refresh_token == null)
throw new ArgumentException("Missing refresh token");
_service.SaveUserCredentials(new UserCredential
EmailAddress = key,
AccessToken = (string)access_token,
RefreshToken = (string)refresh_token
return Task.Delay(0);
public Task DeleteAsync<T>(string key)
return Task.Delay(0);
public Task<T> GetAsync<T>(string userId)
var credentials = _service.GetUserCredentials(userId.To<int>());
var completionSource = new TaskCompletionSource<T>();
if (!string.IsNullOrEmpty(credentials.AccessToken))
return completionSource.Task;
public Task ClearAsync()
return Task.Delay(0);
using Google.Apis.Auth.OAuth2.Mvc;
namespace MyApp.Areas.Integration.Controllers
public class AuthCallbackController : Google.Apis.Auth.OAuth2.Mvc.Controllers.AuthCallbackController
protected override FlowMetadata FlowData
get { return new AppFlowMetadata(); }
After spending days trying to figure this out and not making any headway with the google api .net libraries I ended up just going with my own implementation which after reading their documentation was at least something I could fully understand. In case anyone could use the code, here's what I ended up with. Still need to do some refactoring, but at this point it's working.
Just need to make sure the AuthorizeResponse and Authorize routes are registered as authorized redirect uris.
public class GoogleController : Controller
private readonly CredentialService _credentialService;
private readonly GoogleEndpoints _endpoints;
public GoogleController()
_endpoints = new GoogleEndpoints();
_credentialService = new CredentialService(new CredentialRepository(ConnectionStrings.GeneralInfo));
private string AuthorizeUrl
return "/Integration/Google/Authorize";
private string AuthorizeResponseUrl
return "/Integration/Google/AuthorizeResponse";
private string SaveResponseUrl
return "/Integration/Google/SaveResponse";
public void Authorize()
if (Session["UserID"] == null || Session["Email"] == null)
Response.Redirect("~/Login.aspx", true);
Session["LoginSource"] = AuthorizeUrl;
if (Session["SessionId"] == null || Session["SessionId"].ToString().Trim().Length == 0)
Session["SessionId"] = _credentialService.CreateSessionId(Session["UserID"].To<int>());
var url = _endpoints.AuthorizationEndpoint + "?" +
"client_id=" + APIConstants.GMailApiKey + "&" +
"response_type=code&" +
"scope=openid%20email&" +
"redirect_uri=" + AuthorizeResponseUrl + "&" +
"state=" + Session["SessionId"] + "&" +
"login_hint=" + Session["Email"] + "&" +
public ActionResult AuthorizeResponse()
var state = Request.QueryString["state"];
if (state == Session["SessionId"].ToString())
var code = Request.QueryString["code"];
var values = new Dictionary<string, object>
{"code", code},
{"redirect_uri", AuthorizeResponseUrl},
{"client_id", APIConstants.GMailApiKey},
{"client_secret", APIConstants.GmailApiSecret},
{"grant_type", "authorization_code"},
{"scope", ""}
var webmethods = new WebMethods();
var tokenResponse = webmethods.Post(_endpoints.TokenEndpoint, values);
var jobject = JObject.Parse(tokenResponse);
var access_token = jobject.SelectToken("access_token");
var refresh_token = jobject.SelectToken("refresh_token");
if (access_token == null || access_token.ToString().Trim().Length == 0)
//notify devs something went wrong
return View(new GoogleAuthResponse(tokenResponse, false));
var credentials = _credentialService.GetUserCredentials(Session["SessionId"].ToString());
credentials.AccessToken = access_token.ToString();
credentials.RefreshToken = refresh_token.ToString();
credentials.EmployeeId = Session["UserId"].To<int>();
return View(new GoogleAuthResponse("Integration successful!", true));
return View(new GoogleAuthResponse("Missing state information.", false));
And the helper class to get the google endpoints.
public class GoogleEndpoints
public GoogleEndpoints()
using (var client = new WebClient())
var response = client.DownloadString("https://accounts.google.com/.well-known/openid-configuration");
var jobject = JObject.Parse(response);
AuthorizationEndpoint = jobject.SelectToken("authorization_endpoint").ToString();
TokenEndpoint = jobject.SelectToken("token_endpoint").ToString();
public string AuthorizationEndpoint { get; private set; }
public string TokenEndpoint { get; private set; }
The controller uses another couple of helper classes for parsing the json and posting the form data, but that should be pretty straightforward.

Authenticate - provide login email address to lookup user identity

I am using Thinktecture AuthenticationConfiguration to provide an end point for signing tokens on my API:
var authConfig = new AuthenticationConfiguration
EnableSessionToken = true,
SendWwwAuthenticateResponseHeaders = true,
RequireSsl = false,
ClaimsAuthenticationManager = new ClaimsTransformation(),
SessionToken = new SessionTokenConfiguration
EndpointAddress = "/api/token",
SigningKey = signingKey,
DefaultTokenLifetime = new TimeSpan(1, 0, 0)
var userCredentialsService = new CredentialsService(credentialStore);
And authenticating users with CredentialsService:
public class CredentialsService
public bool Validate(string username, string password)
return username == password;
The above works, and no its certainly not used in production, but on returning true i will get a token in which contains a claim with the username.
In my scenario I have a user id (an integer) which can never change and I would like this to be in my claim. So the user would pass an email address to the service endpoint in the header as basic authentication, and then if valid go ahead and sign with the id as the claim (but not the email address as the claim):
public class CredentialsService
public bool Validate(string emailAddress, string password)
// map from the provided name, to the user id
var details = MySqlDb.ReadBy(emailAddress);
var id = details.Id; // this is the actual identity of the user
var email = details.EmailAddress;
var hash = details.Hash;
return PasswordHash.ValidatePassword(password,hash);
I appreciate this will need a second lookup to a sql server database to transform the emailAddress in to a userId, is there a way for me to insert this in to the pipeline flow before CredentialsService is called?
Or am i going about it the wrong way, and just stick with the username that was signed in as, then use a claims transformation based on the username to enrich with the integer identity - but then what if they changed the username?
Ok, I managed to solve this by taking a look at the awesome thinktecture source and overriding BasicAuthenticationSecurityTokenHandler to give a derived class which has a second delegate returning a Claim[] ready to be signed:
public class BasicAuthSecurityTokenHandlerWithClaimsOutput : BasicAuthenticationSecurityTokenHandler
public BasicAuthSecurityTokenHandlerWithClaimsOutput(ValidateUserNameCredentialDelegate validateUserNameCredential, GetClaimsForAuthenticatedUser getClaimsForAuthenticatedUser)
: base()
if (validateUserNameCredential == null)
throw new ArgumentNullException("ValidateUserNameCredential");
if (getClaimsForAuthenticatedUser== null)
throw new ArgumentNullException("GetClaimsForAuthenticatedUser");
base.ValidateUserNameCredential = validateUserNameCredential;
_getClaimsForAuthenticatedUser = getClaimsForAuthenticatedUser;
public delegate Claim[] GetClaimsForAuthenticatedUser(string username);
private readonly GetClaimsForAuthenticatedUser _getClaimsForAuthenticatedUser;
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
if (token == null)
throw new ArgumentNullException("token");
if (base.Configuration == null)
throw new InvalidOperationException("No Configuration set");
UserNameSecurityToken unToken = token as UserNameSecurityToken;
if (unToken == null)
throw new ArgumentException("SecurityToken is not a UserNameSecurityToken");
if (!ValidateUserNameCredentialCore(unToken.UserName, unToken.Password))
throw new SecurityTokenValidationException(unToken.UserName);
var claims = new List<Claim>
new Claim(ClaimTypes.Name, unToken.UserName),
new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password),
var lookedUpClaims = _getClaimsForAuthenticatedUser(unToken.UserName);
if (RetainPassword)
claims.Add(new Claim("password", unToken.Password));
var identity = new ClaimsIdentity(claims, "Basic");
if (Configuration.SaveBootstrapContext)
if (this.RetainPassword)
identity.BootstrapContext = new BootstrapContext(unToken, this);
var bootstrapToken = new UserNameSecurityToken(unToken.UserName, null);
identity.BootstrapContext = new BootstrapContext(bootstrapToken, this);
return new List<ClaimsIdentity> {identity}.AsReadOnly();
I then added a second helper method to make it easier to wire up:
public static class BasicAuthHandlerExtensionWithClaimsOutput
public static void AddBasicAuthenticationWithClaimsOutput(
this AuthenticationConfiguration configuration,
BasicAuthenticationSecurityTokenHandler.ValidateUserNameCredentialDelegate validationDelegate,
BasicAuthSecurityTokenHandlerWithClaimsOutput.GetClaimsForAuthenticatedUser getClaimsForAuthenticatedUserDelegate,
string realm = "localhost", bool retainPassword = false)
var handler = new BasicAuthSecurityTokenHandlerWithClaimsOutput(validationDelegate, getClaimsForAuthenticatedUserDelegate);
handler.RetainPassword = retainPassword;
configuration.AddMapping(new AuthenticationOptionMapping
TokenHandler = new SecurityTokenHandlerCollection { handler },
Options = AuthenticationOptions.ForAuthorizationHeader(scheme: "Basic"),
Scheme = AuthenticationScheme.SchemeAndRealm("Basic", realm)
Hope this helps others, please let me know if i have done something horrific!

Authentication in webAPI

I want to set Individual authentication for the web API application i have created in Visual studio 2013 using Asp.net . please tell me how can i do that .
VS 2013 by default provide several types of authentication while designing . i choose individual Authentication . But don't know how it works .
It is a little complicated! By default it is a Token-Based authenctication. Check these links for more details :
Individual Accounts in ASP.NET Web API: http://www.asp.net/vnext/overview/authentication/individual-accounts-in-aspnet-web-api
Understanding OWIN Forms authentication options : http://blogs.msdn.com/b/webdev/archive/2013/07/03/understanding-owin-forms-authentication-in-mvc-5.aspx#_Understanding_OWIN_Forms
also these links will help :
10 Things You Should Know about Tokens: http://blog.auth0.com/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies
Cookies vs Tokens. : http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/
